Hackers Steal Microsoft Signing Key from Windows Crash Dump

Microsoft has confirmed that the Storm-0558 Chinese hacker group obtained a signing key, which they later used to infiltrate government email accounts, by compromising a Microsoft engineer’s corporate account.

The compromised signing key led to unauthorized access to Exchange Online and Azure Active Directory (AD) accounts in approximately two dozen organizations, including prominent U.S. government agencies like the U.S. State and Commerce Departments.

The attackers took advantage of a now-patched zero-day vulnerability in the GetAccessTokenForResource API, which allowed them to create counterfeit signed access tokens and assume the identities of individuals within their target organizations.

During their investigation into the Storm-0558 attack, Microsoft discovered that the compromised Microsoft Service Account (MSA) key had inadvertently found its way into a crash dump following the crash of a consumer signing system in April 2021.

Although a crash dump should never contain such critical signing keys, a race condition led to the key being included in it. Subsequently, this crash dump was mistakenly transferred from the company’s isolated production network to its internet-connected corporate debugging environment.

The threat actors succeeded in locating the key after successfully compromising a Microsoft engineer’s corporate account, which had access to the debugging environment inadvertently housing the key as part of the April 2021 crash dump.

Microsoft disclosed, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key,” adding that the issue had been rectified, and their credential scanning methods had been improved.

Although Microsoft initially reported that only Exchange Online and Outlook were affected when it disclosed the incident in July, a security researcher later revealed that the compromised Microsoft consumer signing key provided Storm-0558 with broad access to various Microsoft cloud services.

This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers’ applications that support Microsoft Account authentication, including those that offer the ‘Login with Microsoft’ functionality.

“The old public key’s certificate revealed it was issued on April 5th, 2016, and expired on April 4th, 2021,” she added.

Microsoft later clarified that the compromised key could only be exploited in apps that accepted personal accounts and were vulnerable to the validation error exploited by the Chinese hackers.
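To make that validation error concrete, the following is an added illustration (not Microsoft's code and not from the article): a relying party that looks up the signing key by key id in a merged key set accepts an enterprise token signed with a consumer key, while one that only accepts keys published for the token's own issuer rejects it. Issuer names, key ids and key bytes are constructed, and an HMAC secret stands in for the real asymmetric signing key so the example runs with only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material: each issuer publishes its own key set.
# Assumption: a symmetric HMAC secret plays the role of the signing key.
KEYS_BY_ISSUER = {
    "consumer-issuer": {"msa-key-1": b"consumer-signing-key"},      # personal accounts
    "enterprise-issuer": {"aad-key-1": b"enterprise-signing-key"},  # tenant accounts
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWS-style token: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _parts(token: str):
    header, payload, sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload)), sig

def verify_signature(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def validate_weak(token: str):
    """Flawed pattern: resolve kid against every issuer's keys merged together,
    so a genuine consumer-key signature is accepted on an enterprise token."""
    header, claims, _ = _parts(token)
    merged = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    key = merged.get(header.get("kid"))
    return claims if key is not None and verify_signature(token, key) else None

def validate_strict(token: str):
    """Hardened pattern: only keys published for the token's own issuer count;
    a kid that belongs to a different issuer's key set is rejected."""
    header, claims, _ = _parts(token)
    key = KEYS_BY_ISSUER.get(claims.get("iss"), {}).get(header.get("kid"))
    return claims if key is not None and verify_signature(token, key) else None

# Constructed test input: an enterprise-tenant token signed with the consumer
# key, the issuer/key mismatch that the validation error failed to catch.
FORGED = sign_token("msa-key-1", b"consumer-signing-key",
                    {"iss": "enterprise-issuer", "sub": "user@tenant"})
```

Running both validators over `FORGED` shows the weak one returning the claims and the strict one returning `None`, which is the check a relying party needs in addition to a correct signature.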

In response to the security breach, Microsoft invalidated all MSA signing keys to prevent threat actors from accessing other compromised keys. This action effectively thwarted any further attempts to generate new access tokens. Furthermore, Microsoft relocated recently generated access tokens to the key store used by its enterprise systems.

Following the revocation of the stolen signing key, Microsoft found no additional evidence of unauthorized access to customer accounts using the same authentication token forgery method.

Under pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft agreed to provide expanded access to cloud logging data free of charge, aiding network defenders in detecting similar breach attempts in the future.

Prior to this decision, such logging capabilities were exclusively available to customers with Purview Audit (Premium) logging licenses, leading to criticism for hindering organizations in promptly identifying Storm-0558’s attacks.
